Certified in Risk and Information Systems Control (CRISC) — Question 665
During a risk assessment, a key external technology supplier refuses to provide control design and effectiveness information, citing confidentiality concerns. What should the risk practitioner do NEXT?
Answer options
- A. Escalate the non-cooperation to management
- B. Exclude applicable controls from the assessment
- C. Review the supplier's contractual obligations
- D. Request risk acceptance from the business process owner
Correct answer: C
Explanation
The correct answer is C: reviewing the supplier's contractual obligations reveals what control design and effectiveness information the supplier is required to provide, which clarifies whether the refusal is justified and what can be demanded. Option A is inappropriate because escalating the issue, on its own, may not resolve the lack of information. Option B is not advisable because it compromises the assessment's thoroughness, and option D does not address the root issue, which is obtaining the necessary control information.